<!DOCTYPE html>
<html id="docs" lang="en" class="">
	<head>
	<meta charset="utf-8">
<title>Pod Security Policies - Kubernetes</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="shortcut icon" type="image/png" href="../../../../images/favicon.png">
<link rel="stylesheet" type="text/css" href="../../../../css/base_fonts.css">
<link rel="stylesheet" type="text/css" href="../../../../css/styles.css">
<link rel="stylesheet" type="text/css" href="https://code.jquery.com/ui/1.12.1/themes/smoothness/jquery-ui.css">
<link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/sweetalert/1.1.3/sweetalert.min.css">
<link rel="stylesheet" type="text/css" href="../../../../css/callouts.css">
<link rel="stylesheet" type="text/css" href="../../../../css/custom-jekyll/tags.css">




<meta name="description" content="Pod Security Policies" />
<meta property="og:description" content="Pod Security Policies" />

<meta property="og:url" content="https://kubernetes.io/docs/concepts/policy/pod-security-policy/" />
<meta property="og:title" content="Pod Security Policies - Kubernetes" />

<script
src="https://code.jquery.com/jquery-3.2.1.min.js"
integrity="sha256-hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVSNgt4="
crossorigin="anonymous"></script>
<script
src="https://code.jquery.com/ui/1.12.1/jquery-ui.min.js"
integrity="sha256-VazP97ZCwtekAsvgPBSUwPFKdrwD3unUfSGVYrahUqU="
crossorigin="anonymous"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/sweetalert/1.1.3/sweetalert.min.js"></script>
<script src="../../../../js/script.js"></script>
<script src="../../../../js/custom-jekyll/tags.js"></script>


	</head>
	<body>
		<div id="cellophane" onclick="kub.toggleMenu()"></div>

<header>
    <a href="../../../../index.html" class="logo"></a>

    <div class="nav-buttons" data-auto-burger="primary">
        <ul class="global-nav">
            
            
            <li><a href="../../../home.1">Documentation</a></li>
            
            <li><a href="../../../../blog/index.html">Blog</a></li>
            
            <li><a href="../../../../partners/index.html">Partners</a></li>
            
            <li><a href="../../../../community/index.html">Community</a></li>
            
            <li><a href="../../../../case-studies/index.html">Case Studies</a></li>
            
            
             <li>
                <a href="../../../user-guide/pod-security-policy#">
                    English <span class="ui-icon ui-icon-carat-1-s"></span>
                </a>
                <ul>
                
                    <li><a href="../../../../zh/index.html">中文 Chinese</a></li>
                
                    <li><a href="../../../../ko/index.html">한국어 Korean</a></li>
                
                </ul>
            </li>
         
            <li>
                <a href="../../../user-guide/pod-security-policy#">
                    v1.11 <span class="ui-icon ui-icon-carat-1-s"></span>
                </a>
                <ul>
                
                    <li><a href="https://kubernetes.io">v1.12</a></li>
                
                    <li><a href="../../../../index.html">v1.11</a></li>
                
                    <li><a href="https://v1-10.docs.kubernetes.io">v1.10</a></li>
                
                    <li><a href="https://v1-9.docs.kubernetes.io">v1.9</a></li>
                
                </ul>
            </li>
        </ul>
        
        <a href="../../../tutorials/kubernetes-basics/index.html" class="button" id="tryKubernetes" data-auto-burger-exclude>Try Kubernetes</a>
        <button id="hamburger" onclick="kub.toggleMenu()" data-auto-burger-exclude><div></div></button>
    </div>

    <nav id="mainNav">
        <main data-auto-burger="primary">
        <div class="nav-box">
            <h3><a href="../../../tutorials/stateless-application/hello-minikube/index.html">Get Started</a></h3>
            <p>Ready to get your hands dirty? Build a simple Kubernetes cluster that runs "Hello World" for Node.js.</p>
        </div>
        <div class="nav-box">
            <h3><a href="../../../home.1">Documentation</a></h3>
            <p>Learn how to use Kubernetes with the use of walkthroughs, samples, and reference documentation. You can even <a href="../../../../editdocs/index.html" data-auto-burger-exclude>help contribute to the docs</a>!</p>
        </div>
        <div class="nav-box">
            <h3><a href="../../../../community/index.html">Community</a></h3>
            <p>If you need help, you can connect with other Kubernetes users and the Kubernetes authors, attend community events, and watch video presentations from around the web.</p>
        </div>
        <div class="nav-box">
            <h3><a href="../../../../blog/index.html">Blog</a></h3>
            <p>Read the latest news for Kubernetes and the containers space in general, and get technical how-tos hot off the presses.</p>
        </div>
        </main>
        <main data-auto-burger="primary">
        <div class="left">
            <h5 class="github-invite">Interested in hacking on the core Kubernetes code base?</h5>
            <a href="https://github.com/kubernetes/kubernetes" class="button" data-auto-burger-exclude>View On Github</a>
        </div>

        <div class="right">
            <h5 class="github-invite">Explore the community</h5>
            <div class="social">
                <a href="https://twitter.com/kubernetesio" class="twitter"><span>Twitter</span></a>
                <a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
                <a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
                <a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>Stack Overflow</span></a>
                <a href="https://discuss.kubernetes.io" class="mailing-list"><span>Forum</span></a>
                <a href="https://calendar.google.com/calendar/embed?src=nt2tcnbtbied3l6gi2h29slvc0%40group.calendar.google.com" class="calendar"><span>Events Calendar</span></a>
            </div>
        </div>
        <div class="clear" style="clear: both"></div>
        </main>
    </nav>
</header>

		
		
		<section id="hero" class="light-text no-sub">
			









<h1>Concepts</h1>
<h5></h5>








<div id="vendorStrip" class="light-text">
	<ul>
		
		
		<li><a href="../../../home.1">DOCUMENTATION</a></li>
		
		
		<li><a href="../../../setup/index.html">SETUP</a></li>
		
		
		<li><a href="../../index.html" class="YAH">CONCEPTS</a></li>
		
		
		<li><a href="../../../tasks/index.html">TASKS</a></li>
		
		
		<li><a href="../../../tutorials/index.html">TUTORIALS</a></li>
		
		
		<li><a href="../../../reference.1">REFERENCE</a></li>
		
	</ul>
	<div id="searchBox">
		<input type="text" id="search" placeholder="Search" onkeydown="if (event.keyCode==13) window.location.replace('/docs/search/?q=' + this.value)" autofocus="autofocus">
	</div>
</div>

		</section>
		
		
<section id="deprecationWarning">
  <main>
    <div class="content deprecation-warning">
      <h3>
        Documentation for Kubernetes v1.11 is no longer actively maintained. The version you are currently viewing is a static snapshot.
        For up-to-date documentation, see the <a href="https://kubernetes.io/docs/home/">latest</a> version.
      </h3>
    </div>
  </main>
</section>


		<section id="encyclopedia">
			
<div id="docsToc">
     <div class="pi-accordion">
    	
        
        
        
        
        
         
             
                 
             
         
             
                 
             
         
             
                 
                          
                          
                 
             
         
             
         
             
         
             
         
             
         
             
         
         
        
        <a class="item" data-title="Concepts" href="../../index.html"></a>

	
	
		
		
	<div class="item" data-title="Overview">
		<div class="container">
		
		
	
	
		
		
<a class="item" data-title="What is Kubernetes?" href="../../overview/index.html"></a>

		
	
		
		
<a class="item" data-title="Kubernetes Components" href="../../overview/components.1"></a>

		
	
		
		
<a class="item" data-title="The Kubernetes API" href="../../overview/kubernetes-api/index.html"></a>

		
	
		
		
	<div class="item" data-title="Working with Kubernetes Objects">
		<div class="container">
		
		
	
	
		
		
<a class="item" data-title="Understanding Kubernetes Objects" href="../../overview/working-with-objects/kubernetes-objects.1"></a>

		
	
		
		
<a class="item" data-title="Names" href="../../../user-guide/identifiers"></a>

		
	
		
		
<a class="item" data-title="Namespaces" href="../../overview/working-with-objects/namespaces.1"></a>

		
	
		
		
<a class="item" data-title="Labels and Selectors" href="../../../user-guide/labels"></a>

		
	
		
		
<a class="item" data-title="Annotations" href="../../overview/working-with-objects/annotations.1"></a>

		
	

		</div>
	</div>

		
	
		
		
	<div class="item" data-title="Object Management Using kubectl">
		<div class="container">
		
		
	
	
		
		
<a class="item" data-title="Kubernetes Object Management" href="../../../tutorials/object-management-kubectl/object-management/index.html"></a>

		
	
		
		
<a class="item" data-title="Managing Kubernetes Objects Using Imperative Commands" href="../../../tutorials/object-management-kubectl/imperative-object-management-command/index.html"></a>

		
	
		
		
<a class="item" data-title="Imperative Management of Kubernetes Objects Using Configuration Files" href="../../../tutorials/object-management-kubectl/imperative-object-management-configuration/index.html"></a>

		
	
		
		
<a class="item" data-title="Declarative Management of Kubernetes Objects Using Configuration Files" href="../../../tutorials/object-management-kubectl/declarative-object-management-configuration/index.html"></a>

		
	

		</div>
	</div>

		
	

		</div>
	</div>

		
	
		
		
	<div class="item" data-title="Compute, Storage, and Networking Extensions">
		<div class="container">
		
		
	
	
		
		
<a class="item" data-title="Cluster Administration Overview" href="../../cluster-administration/cluster-administration-overview/index.html"></a>

		
	
		
		
<a class="item" data-title="Certificates" href="../../cluster-administration/certificates/index.html"></a>

		
	
		
		
<a class="item" data-title="Cloud Providers" href="../../cluster-administration/cloud-providers/index.html"></a>

		
	
		
		
<a class="item" data-title="Managing Resources" href="../../cluster-administration/manage-deployment/index.html"></a>

		
	
		
		
<a class="item" data-title="Cluster Networking" href="../../../admin/networking"></a>

		
	
		
		
<a class="item" data-title="Logging Architecture" href="../../cluster-administration/logging.1"></a>

		
	
		
		
<a class="item" data-title="Configuring kubelet Garbage Collection" href="../../cluster-administration/kubelet-garbage-collection/index.html"></a>

		
	
		
		
<a class="item" data-title="Federation" href="../../cluster-administration/federation/index.html"></a>

		
	
		
		
<a class="item" data-title="Proxies in Kubernetes" href="../../cluster-administration/proxies/index.html"></a>

		
	
		
		
<a class="item" data-title="Controller manager metrics" href="../../cluster-administration/controller-metrics/index.html"></a>

		
	
		
		
<a class="item" data-title="Installing Addons" href="../../cluster-administration/addons/index.html"></a>

		
	

		</div>
	</div>

		
	
		
		
	<div class="item" data-title="Kubernetes Architecture">
		<div class="container">
		
		
	
	
		
		
<a class="item" data-title="Nodes" href="../../../admin/node.1"></a>

		
	
		
		
<a class="item" data-title="Master-Node communication" href="../../architecture/master-node-communication/index.html"></a>

		
	
		
		
<a class="item" data-title="Concepts Underlying the Cloud Controller Manager" href="../../architecture/cloud-controller/index.html"></a>

		
	

		</div>
	</div>

		
	
		
		
	<div class="item" data-title="Extending Kubernetes">
		<div class="container">
		
		
	
	
		
		
<a class="item" data-title="Extending your Kubernetes Cluster" href="../../overview/extending/index.html"></a>

		
	
		
		
	<div class="item" data-title="Extending the Kubernetes API">
		<div class="container">
		
		
	
	
		
		
<a class="item" data-title="Extending the Kubernetes API with the aggregation layer" href="../../api-extension/apiserver-aggregation.1"></a>

		
	
		
		
<a class="item" data-title="Custom Resources" href="../../api-extension/custom-resources/index.html"></a>

		
	

		</div>
	</div>

		
	
		
		
	<div class="item" data-title="Compute, Storage, and Networking Extensions">
		<div class="container">
		
		
	
	
		
		
<a class="item" data-title="Network Plugins" href="../../../admin/network-plugins/index.html"></a>

		
	
		
		
<a class="item" data-title="Device Plugins" href="../../cluster-administration/device-plugins.1"></a>

		
	

		</div>
	</div>

		
	
		
		
<a class="item" data-title="Service Catalog" href="../../service-catalog/index.html"></a>

		
	

		</div>
	</div>

		
	
		
		
	<div class="item" data-title="Containers">
		<div class="container">
		
		
	
	
		
		
<a class="item" data-title="Images" href="../../containers/images/index.html"></a>

		
	
		
		
<a class="item" data-title="Container Environment Variables" href="../../containers/container-environment-variables/index.html"></a>

		
	
		
		
<a class="item" data-title="Container Lifecycle Hooks" href="../../containers/container-lifecycle-hooks/index.html"></a>

		
	

		</div>
	</div>

		
	
		
		
	<div class="item" data-title="Workloads">
		<div class="container">
		
		
	
	
		
		
	<div class="item" data-title="Pods">
		<div class="container">
		
		
	
	
		
		
<a class="item" data-title="Pod Overview" href="../../workloads/pods/pod-overview/index.html"></a>

		
	
		
		
<a class="item" data-title="Pods" href="../../../user-guide/pods/index.html"></a>

		
	
		
		
<a class="item" data-title="Pod Lifecycle" href="../../../user-guide/pod-states/index.html"></a>

		
	
		
		
<a class="item" data-title="Init Containers" href="../../abstractions/init-containers/index.html"></a>

		
	
		
		
<a class="item" data-title="Pod Preset" href="../../workloads/pods/podpreset/index.html"></a>

		
	
		
		
<a class="item" data-title="Disruptions" href="../../workloads/pods/disruptions/index.html"></a>

		
	

		</div>
	</div>

		
	
		
		
	<div class="item" data-title="Controllers">
		<div class="container">
		
		
	
	
		
		
<a class="item" data-title="ReplicaSet" href="../../workloads/controllers/replicaset/index.html"></a>

		
	
		
		
<a class="item" data-title="ReplicationController" href="../../../user-guide/replication-controller/index.html"></a>

		
	
		
		
<a class="item" data-title="Deployments" href="../../workloads/controllers/deployment/index.html"></a>

		
	
		
		
<a class="item" data-title="StatefulSets" href="../../workloads/controllers/statefulset.md"></a>

		
	
		
		
<a class="item" data-title="DaemonSet" href="../../workloads/controllers/daemonset.1"></a>

		
	
		
		
<a class="item" data-title="Garbage Collection" href="../../workloads/controllers/garbage-collection/index.html"></a>

		
	
		
		
<a class="item" data-title="Jobs - Run to Completion" href="../../workloads/controllers/jobs-run-to-completion.1"></a>

		
	
		
		
<a class="item" data-title="CronJob" href="../../workloads/controllers/cron-jobs.1"></a>

		
	

		</div>
	</div>

		
	

		</div>
	</div>

		
	
		
		
	<div class="item" data-title="Configuration">
		<div class="container">
		
		
	
	
		
		
<a class="item" data-title="Configuration Best Practices" href="../../configuration/overview/index.html"></a>

		
	
		
		
<a class="item" data-title="Managing Compute Resources for Containers" href="../../../user-guide/compute-resources/index.html"></a>

		
	
		
		
<a class="item" data-title="Assigning Pods to Nodes" href="../../../user-guide/node-selection/index.html"></a>

		
	
		
		
<a class="item" data-title="Taints and Tolerations" href="../../configuration/taint-and-toleration.1"></a>

		
	
		
		
<a class="item" data-title="Secrets" href="../../../user-guide/secrets.1"></a>

		
	
		
		
<a class="item" data-title="Organizing Cluster Access Using kubeconfig Files" href="../../configuration/organize-cluster-access-kubeconfig/index.html"></a>

		
	
		
		
<a class="item" data-title="Pod Priority and Preemption" href="../../configuration/pod-priority-preemption/index.html"></a>

		
	

		</div>
	</div>

		
	
		
		
	<div class="item" data-title="Services, Load Balancing, and Networking">
		<div class="container">
		
		
	
	
		
		
<a class="item" data-title="Services" href="../../../user-guide/services"></a>

		
	
		
		
<a class="item" data-title="DNS for Services and Pods" href="../../services-networking/dns-pod-service/index.html"></a>

		
	
		
		
<a class="item" data-title="Connecting Applications with Services" href="../../services-networking/connect-applications-service.1"></a>

		
	
		
		
<a class="item" data-title="Ingress" href="../../services-networking/ingress/index.html"></a>

		
	
		
		
<a class="item" data-title="Network Policies" href="../../services-networking/networkpolicies/index.html"></a>

		
	
		
		
<a class="item" data-title="Adding entries to Pod /etc/hosts with HostAliases" href="../../services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/index.html"></a>

		
	

		</div>
	</div>

		
	
		
		
	<div class="item" data-title="Storage">
		<div class="container">
		
		
	
	
		
		
<a class="item" data-title="Volumes" href="../../storage/volumes.1"></a>

		
	
		
		
<a class="item" data-title="Persistent Volumes" href="../../../user-guide/persistent-volumes/index.html"></a>

		
	
		
		
<a class="item" data-title="Storage Classes" href="../../storage/storage-classes.1"></a>

		
	
		
		
<a class="item" data-title="Dynamic Volume Provisioning" href="../../storage/dynamic-provisioning/index.html"></a>

		
	
		
		
<a class="item" data-title="Node-specific Volume Limits" href="../../storage/storage-limits/index.html"></a>

		
	

		</div>
	</div>

		
	
		
		
	<div class="item" data-title="Policies">
		<div class="container">
		
		
	
	
		
		
<a class="item" data-title="Resource Quotas" href="../resource-quotas/index.html"></a>

		
	
		
		
<a class="item" data-title="Pod Security Policies" href="../../../user-guide/pod-security-policy"></a>

		
	

		</div>
	</div>

		
	






     </div> 
    <button class="push-menu-close-button" onclick="kub.toggleToc()"></button>
</div> 

			<div id="docsContent">
				
<p><a href="../../../editdocs#docs/concepts/policy/pod-security-policy.md" id="editPageButton">Edit This Page</a></p>

<h1>Pod Security Policies</h1>



<div style="margin-top: 10px; margin-bottom: 10px;">



<b>FEATURE STATE:</b> <code>Kubernetes v1.11</code>




    
    
    
    
    
<a href="../../../user-guide/pod-security-policy#" id="feature-state-dialog-link" class="ui-state-default ui-corner-all"><span class="ui-icon ui-icon-newwin"></span>beta</a>
<div id="feature-state-dialog" class="ui-dialog-content" title="beta">
This feature is currently in a <em>beta</em> state, meaning:</p>

<ul>
<li>The version names contain beta (e.g. v2beta3).</li>
<li>Code is well tested. Enabling the feature is considered safe. Enabled by default.</li>
<li>Support for the overall feature will not be dropped, though details may change.</li>
<li>The schema and/or semantics of objects may change in incompatible ways in a subsequent beta or stable release. When this happens, we will provide instructions for migrating to the next version. This may require deleting, editing, and re-creating API objects. The editing process may require some thought. This may require downtime for applications that rely on the feature.</li>
<li>Recommended for only non-business-critical uses because of potential for incompatible changes in subsequent releases. If you have multiple clusters that can be upgraded independently, you may be able to relax this restriction.</li>
<li><strong>Please do try our beta features and give feedback on them! After they exit beta, it may not be practical for us to make more changes.</strong></li>
</ul>

</div>
<script>
$(function(){
    
    $( "#feature-state-dialog" ).dialog({
        autoOpen: false,
        width: "600",
        buttons: [
            {
                text: "Ok",
                click: function() {
                    $( this ).dialog( "close" );
                }
            }
        ]
    });

    
    $( "#feature-state-dialog-link" ).click(function( event ) {
        $( "#feature-state-dialog" ).dialog( "open" );
        event.preventDefault();
    });

});
</script>

    

</div>

<p>Pod Security Policies enable fine-grained authorization of pod creation and
updates.</p>









<ul id="markdown-toc">










<li><a href="../../../user-guide/pod-security-policy#what-is-a-pod-security-policy">What is a Pod Security Policy?</a></li>




<li><a href="../../../user-guide/pod-security-policy#enabling-pod-security-policies">Enabling Pod Security Policies</a></li>




<li><a href="../../../user-guide/pod-security-policy#authorizing-policies">Authorizing Policies</a></li>




<li><a href="../../../user-guide/pod-security-policy#policy-order">Policy Order</a></li>




<li><a href="../../../user-guide/pod-security-policy#example">Example</a></li>




<li><a href="../../../user-guide/pod-security-policy#policy-reference">Policy Reference</a></li>



















</ul>


<h2 id="what-is-a-pod-security-policy">What is a Pod Security Policy?</h2>

<p>A <em>Pod Security Policy</em> is a cluster-level resource that controls security
sensitive aspects of the pod specification. The <code>PodSecurityPolicy</code> objects
define a set of conditions that a pod must run with in order to be accepted into
the system, as well as defaults for the related fields. They allow an
administrator to control the following:</p>

<table>
<thead>
<tr>
<th>Control Aspect</th>
<th>Field Names</th>
</tr>
</thead>

<tbody>
<tr>
<td>Running of privileged containers</td>
<td><a href="../../../user-guide/pod-security-policy#privileged"><code>privileged</code></a></td>
</tr>

<tr>
<td>Usage of the root namespaces</td>
<td><a href="../../../user-guide/pod-security-policy#host-namespaces"><code>hostPID</code>, <code>hostIPC</code></a></td>
</tr>

<tr>
<td>Usage of host networking and ports</td>
<td><a href="../../../user-guide/pod-security-policy#host-namespaces"><code>hostNetwork</code>, <code>hostPorts</code></a></td>
</tr>

<tr>
<td>Usage of volume types</td>
<td><a href="../../../user-guide/pod-security-policy#volumes-and-file-systems"><code>volumes</code></a></td>
</tr>

<tr>
<td>Usage of the host filesystem</td>
<td><a href="../../../user-guide/pod-security-policy#volumes-and-file-systems"><code>allowedHostPaths</code></a></td>
</tr>

<tr>
<td>White list of FlexVolume drivers</td>
<td><a href="../../../user-guide/pod-security-policy#flexvolume-drivers"><code>allowedFlexVolumes</code></a></td>
</tr>

<tr>
<td>Allocating an FSGroup that owns the pod&rsquo;s volumes</td>
<td><a href="../../../user-guide/pod-security-policy#volumes-and-file-systems"><code>fsGroup</code></a></td>
</tr>

<tr>
<td>Requiring the use of a read only root file system</td>
<td><a href="../../../user-guide/pod-security-policy#volumes-and-file-systems"><code>readOnlyRootFilesystem</code></a></td>
</tr>

<tr>
<td>The user and group IDs of the container</td>
<td><a href="../../../user-guide/pod-security-policy#users-and-groups"><code>runAsUser</code>, <code>supplementalGroups</code></a></td>
</tr>

<tr>
<td>Restricting escalation to root privileges</td>
<td><a href="../../../user-guide/pod-security-policy#privilege-escalation"><code>allowPrivilegeEscalation</code>, <code>defaultAllowPrivilegeEscalation</code></a></td>
</tr>

<tr>
<td>Linux capabilities</td>
<td><a href="../../../user-guide/pod-security-policy#capabilities"><code>defaultAddCapabilities</code>, <code>requiredDropCapabilities</code>, <code>allowedCapabilities</code></a></td>
</tr>

<tr>
<td>The SELinux context of the container</td>
<td><a href="../../../user-guide/pod-security-policy#selinux"><code>seLinux</code></a></td>
</tr>

<tr>
<td>The AppArmor profile used by containers</td>
<td><a href="../../../user-guide/pod-security-policy#apparmor">annotations</a></td>
</tr>

<tr>
<td>The seccomp profile used by containers</td>
<td><a href="../../../user-guide/pod-security-policy#seccomp">annotations</a></td>
</tr>

<tr>
<td>The sysctl profile used by containers</td>
<td><a href="../../../user-guide/pod-security-policy#sysctl">annotations</a></td>
</tr>
</tbody>
</table>

<h2 id="enabling-pod-security-policies">Enabling Pod Security Policies</h2>

<p>Pod security policy control is implemented as an optional (but recommended)
<a href="../../../admin/admission-controllers/index.html#podsecuritypolicy">admission
controller</a>. PodSecurityPolicies
are enforced by <a href="../../../admin/admission-controllers/index.html#how-do-i-turn-on-an-admission-control-plug-in">enabling the admission
controller</a>,
but doing so without authorizing any policies <strong>will prevent any pods from being
created</strong> in the cluster.</p>

<p>Since the pod security policy API (<code>policy/v1beta1/podsecuritypolicy</code>) is
enabled independently of the admission controller, for existing clusters it is
recommended that policies are added and authorized before enabling the admission
controller.</p>

<h2 id="authorizing-policies">Authorizing Policies</h2>

<p>When a PodSecurityPolicy resource is created, it does nothing. In order to use
it, the requesting user or target pod&rsquo;s <a href="../../../user-guide/service-accounts">service
account</a> must be
authorized to use the policy, by allowing the <code>use</code> verb on the policy.</p>

<p>Most Kubernetes pods are not created directly by users. Instead, they are
typically created indirectly as part of a
<a href="../../workloads/controllers/deployment/index.html">Deployment</a>,
<a href="../../workloads/controllers/replicaset/index.html">ReplicaSet</a>, or other
templated controller via the controller manager. Granting the controller access
to the policy would grant access for <em>all</em> pods created by that the controller,
so the preferred method for authorizing policies is to grant access to the
pod&rsquo;s service account (see <a href="../../../user-guide/pod-security-policy#run-another-pod">example</a>).</p>

<h3 id="via-rbac">Via RBAC</h3>

<p><a href="../../../admin/authorization/rbac/index.html">RBAC</a> is a standard Kubernetes authorization
mode, and can easily be used to authorize use of policies.</p>

<p>First, a <code>Role</code> or <code>ClusterRole</code> needs to grant access to <code>use</code> the desired
policies. The rules to grant access look like this:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-yaml" data-lang="yaml">kind:<span style="color:#bbb"> </span>ClusterRole<span style="color:#bbb">
</span><span style="color:#bbb"></span>apiVersion:<span style="color:#bbb"> </span>rbac.authorization.k8s.io/v1<span style="color:#bbb">
</span><span style="color:#bbb"></span>metadata:<span style="color:#bbb">
</span><span style="color:#bbb">  </span>name:<span style="color:#bbb"> </span>&lt;role<span style="color:#bbb"> </span>name<span style="color:#b44;font-style:italic">&gt;
</span><span style="color:#b44;font-style:italic">rules:
</span><span style="color:#b44;font-style:italic">- apiGroups: [&#39;policy&#39;]
</span><span style="color:#b44;font-style:italic">  resources: [&#39;podsecuritypolicies&#39;]
</span><span style="color:#b44;font-style:italic">  verbs:     [&#39;use&#39;]
</span><span style="color:#b44;font-style:italic">  resourceNames:
</span><span style="color:#b44;font-style:italic">  - &lt;list of policies to authorize&gt;</span></code></pre></div>
<p>Then the <code>(Cluster)Role</code> is bound to the authorized user(s):</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-yaml" data-lang="yaml">kind:<span style="color:#bbb"> </span>ClusterRoleBinding<span style="color:#bbb">
</span><span style="color:#bbb"></span>apiVersion:<span style="color:#bbb"> </span>rbac.authorization.k8s.io/v1<span style="color:#bbb">
</span><span style="color:#bbb"></span>metadata:<span style="color:#bbb">
</span><span style="color:#bbb">  </span>name:<span style="color:#bbb"> </span>&lt;binding<span style="color:#bbb"> </span>name<span style="color:#b44;font-style:italic">&gt;
</span><span style="color:#b44;font-style:italic">roleRef:
</span><span style="color:#b44;font-style:italic">  kind: ClusterRole
</span><span style="color:#b44;font-style:italic">  name: &lt;role name&gt;
</span><span style="color:#b44;font-style:italic">  apiGroup: rbac.authorization.k8s.io
</span><span style="color:#b44;font-style:italic">subjects:
</span><span style="color:#b44;font-style:italic"># Authorize specific service accounts:
</span><span style="color:#b44;font-style:italic">- kind: ServiceAccount
</span><span style="color:#b44;font-style:italic">  name: &lt;authorized service account name&gt;
</span><span style="color:#b44;font-style:italic">  namespace: &lt;authorized pod namespace&gt;
</span><span style="color:#b44;font-style:italic"># Authorize specific users (not recommended):
</span><span style="color:#b44;font-style:italic">- kind: User
</span><span style="color:#b44;font-style:italic">  apiGroup: rbac.authorization.k8s.io
</span><span style="color:#b44;font-style:italic">  name: &lt;authorized user name&gt;</span></code></pre></div>
<p>If a <code>RoleBinding</code> (not a <code>ClusterRoleBinding</code>) is used, it will only grant
usage for pods being run in the same namespace as the binding. This can be
paired with system groups to grant access to all pods run in the namespace:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-yaml" data-lang="yaml"><span style="color:#080;font-style:italic"># Authorize all service accounts in a namespace:</span><span style="color:#bbb">
</span><span style="color:#bbb"></span>-<span style="color:#bbb"> </span>kind:<span style="color:#bbb"> </span>Group<span style="color:#bbb">
</span><span style="color:#bbb">  </span>apiGroup:<span style="color:#bbb"> </span>rbac.authorization.k8s.io<span style="color:#bbb">
</span><span style="color:#bbb">  </span>name:<span style="color:#bbb"> </span>system:serviceaccounts<span style="color:#bbb">
</span><span style="color:#bbb"></span><span style="color:#080;font-style:italic"># Or equivalently, all authenticated users in a namespace:</span><span style="color:#bbb">
</span><span style="color:#bbb"></span>-<span style="color:#bbb"> </span>kind:<span style="color:#bbb"> </span>Group<span style="color:#bbb">
</span><span style="color:#bbb">  </span>apiGroup:<span style="color:#bbb"> </span>rbac.authorization.k8s.io<span style="color:#bbb">
</span><span style="color:#bbb">  </span>name:<span style="color:#bbb"> </span>system:authenticated</code></pre></div>
<p>For more examples of RBAC bindings, see <a href="../../../admin/authorization/rbac.1#role-binding-examples">Role Binding
Examples</a>. For a complete
example of authorizing a PodSecurityPolicy, see
<a href="../../../user-guide/pod-security-policy#example">below</a>.</p>

<h3 id="troubleshooting">Troubleshooting</h3>

<ul>
<li>The <a href="../../../admin/kube-controller-manager/index.html">Controller Manager</a> must be run
against <a href="../../../admin/accessing-the-api/index.html">the secured API port</a>, and must not
have superuser permissions. Otherwise requests would bypass authentication and
authorization modules, all PodSecurityPolicy objects would be allowed, and users
would be able to create privileged containers. For more details on configuring
Controller Manager authorization, see <a href="../../../admin/authorization/rbac/index.html#controller-roles">Controller
Roles</a>.</li>
</ul>

<h2 id="policy-order">Policy Order</h2>

<p>In addition to restricting pod creation and update, pod security policies can
also be used to provide default values for many of the fields that it
controls. When multiple policies are available, the pod security policy
controller selects policies in the following order:</p>

<ol>
<li>If any policies successfully validate the pod without altering it, they are
used.</li>
<li>If it is a pod creation request, then the first valid policy in alphabetical
order is used.</li>
<li>Otherwise, if it is a pod update request, an error is returned, because pod mutations
are disallowed during update operations.</li>
</ol>

<h2 id="example">Example</h2>

<p><em>This example assumes you have a running cluster with the PodSecurityPolicy
admission controller enabled and you have cluster admin privileges.</em></p>

<h3 id="set-up">Set up</h3>

<p>Set up a namespace and a service account to act as for this example. We&rsquo;ll use
this service account to mock a non-admin user.</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">$ kubectl create namespace psp-example
$ kubectl create serviceaccount -n psp-example fake-user
$ kubectl create rolebinding -n psp-example fake-editor --clusterrole<span style="color:#666">=</span>edit --serviceaccount<span style="color:#666">=</span>psp-example:fake-user</code></pre></div>
<p>To make it clear which user we&rsquo;re acting as and save some typing, create 2
aliases:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">$ <span style="color:#a2f">alias</span> kubectl-admin<span style="color:#666">=</span><span style="color:#b44">&#39;kubectl -n psp-example&#39;</span>
$ <span style="color:#a2f">alias</span> kubectl-user<span style="color:#666">=</span><span style="color:#b44">&#39;kubectl --as=system:serviceaccount:psp-example:fake-user -n psp-example&#39;</span></code></pre></div>
<h3 id="create-a-policy-and-a-pod">Create a policy and a pod</h3>

<p>Define the example PodSecurityPolicy object in a file. This is a policy that
simply prevents the creation of privileged pods.</p>

<table class="includecode" id="example-psp-yaml">
    <thead>
        <tr>
            <th>
                <a href="https://github.com/kubernetes/website/blob/master/content/en/docs/concepts/policy/example-psp.yaml" download="example-psp.yaml">
                    <code>example-psp.yaml docs/concepts/policy</code>
                </a>
                <img src="../../../../images/copycode.svg" style="max-height:24px" onclick="copyCode('example-psp-yaml')" title="Copy example-psp.yaml to clipboard">
            </th>
        </tr>
    </thead>
    <tbody>
        <tr>
            <td><div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-yaml" data-lang="yaml">apiVersion:<span style="color:#bbb"> </span>policy/v1beta1<span style="color:#bbb">
</span><span style="color:#bbb"></span>kind:<span style="color:#bbb"> </span>PodSecurityPolicy<span style="color:#bbb">
</span><span style="color:#bbb"></span>metadata:<span style="color:#bbb">
</span><span style="color:#bbb">  </span>name:<span style="color:#bbb"> </span>example<span style="color:#bbb">
</span><span style="color:#bbb"></span>spec:<span style="color:#bbb">
</span><span style="color:#bbb">  </span>privileged:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">false</span><span style="color:#bbb">  </span><span style="color:#080;font-style:italic"># Don&#39;t allow privileged pods!</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span><span style="color:#080;font-style:italic"># The rest fills in some required fields.</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>seLinux:<span style="color:#bbb">
</span><span style="color:#bbb">    </span>rule:<span style="color:#bbb"> </span>RunAsAny<span style="color:#bbb">
</span><span style="color:#bbb">  </span>supplementalGroups:<span style="color:#bbb">
</span><span style="color:#bbb">    </span>rule:<span style="color:#bbb"> </span>RunAsAny<span style="color:#bbb">
</span><span style="color:#bbb">  </span>runAsUser:<span style="color:#bbb">
</span><span style="color:#bbb">    </span>rule:<span style="color:#bbb"> </span>RunAsAny<span style="color:#bbb">
</span><span style="color:#bbb">  </span>fsGroup:<span style="color:#bbb">
</span><span style="color:#bbb">    </span>rule:<span style="color:#bbb"> </span>RunAsAny<span style="color:#bbb">
</span><span style="color:#bbb">  </span>volumes:<span style="color:#bbb">
</span><span style="color:#bbb">  </span>-<span style="color:#bbb"> </span><span style="color:#b44">&#39;*&#39;</span><span style="color:#bbb">
</span><span style="color:#bbb"></span></code></pre></div>  </td>
        </tr>
    </tbody>
</table>

<p>And create it with kubectl:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">$ kubectl-admin create -f example-psp.yaml</code></pre></div>
<p>Now, as the unprivileged user, try to create a simple pod:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">$ kubectl-user create -f- <span style="color:#b44">&lt;&lt;EOF
</span><span style="color:#b44">apiVersion: v1
</span><span style="color:#b44">kind: Pod
</span><span style="color:#b44">metadata:
</span><span style="color:#b44">  name:      pause
</span><span style="color:#b44">spec:
</span><span style="color:#b44">  containers:
</span><span style="color:#b44">    - name:  pause
</span><span style="color:#b44">      image: k8s.gcr.io/pause
</span><span style="color:#b44">EOF</span>
Error from server <span style="color:#666">(</span>Forbidden<span style="color:#666">)</span>: error when creating <span style="color:#b44">&#34;STDIN&#34;</span>: pods <span style="color:#b44">&#34;pause&#34;</span> is forbidden: unable to validate against any pod security policy: <span style="color:#666">[]</span></code></pre></div>
<p><strong>What happened?</strong> Although the PodSecurityPolicy was created, neither the
pod&rsquo;s service account nor <code>fake-user</code> have permission to use the new policy:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">$ kubectl-user auth can-i use podsecuritypolicy/example
no</code></pre></div>
<p>Create the rolebinding to grant <code>fake-user</code> the <code>use</code> verb on the example
policy:</p>

<p><em>Note: This is not the recommended way! See the <a href="../../../user-guide/pod-security-policy#run-another-pod">next section</a>
for the preferred approach.</em></p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">$ kubectl-admin create role psp:unprivileged <span style="color:#b62;font-weight:bold">\
</span><span style="color:#b62;font-weight:bold"></span>    --verb<span style="color:#666">=</span>use <span style="color:#b62;font-weight:bold">\
</span><span style="color:#b62;font-weight:bold"></span>    --resource<span style="color:#666">=</span>podsecuritypolicy <span style="color:#b62;font-weight:bold">\
</span><span style="color:#b62;font-weight:bold"></span>    --resource-name<span style="color:#666">=</span>example
role <span style="color:#b44">&#34;psp:unprivileged&#34;</span> created
$ kubectl-admin create rolebinding fake-user:psp:unprivileged <span style="color:#b62;font-weight:bold">\
</span><span style="color:#b62;font-weight:bold"></span>    --role<span style="color:#666">=</span>psp:unprivileged <span style="color:#b62;font-weight:bold">\
</span><span style="color:#b62;font-weight:bold"></span>    --serviceaccount<span style="color:#666">=</span>psp-example:fake-user
rolebinding <span style="color:#b44">&#34;fake-user:psp:unprivileged&#34;</span> created
$ kubectl-user auth can-i use podsecuritypolicy/example
yes</code></pre></div>
<p>Now retry creating the pod:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">$ kubectl-user create -f- <span style="color:#b44">&lt;&lt;EOF
</span><span style="color:#b44">apiVersion: v1
</span><span style="color:#b44">kind: Pod
</span><span style="color:#b44">metadata:
</span><span style="color:#b44">  name:      pause
</span><span style="color:#b44">spec:
</span><span style="color:#b44">  containers:
</span><span style="color:#b44">    - name:  pause
</span><span style="color:#b44">      image: k8s.gcr.io/pause
</span><span style="color:#b44">EOF</span>
pod <span style="color:#b44">&#34;pause&#34;</span> created</code></pre></div>
<p>It works as expected! But any attempts to create a privileged pod should still
be denied:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">$ kubectl-user create -f- <span style="color:#b44">&lt;&lt;EOF
</span><span style="color:#b44">apiVersion: v1
</span><span style="color:#b44">kind: Pod
</span><span style="color:#b44">metadata:
</span><span style="color:#b44">  name:      privileged
</span><span style="color:#b44">spec:
</span><span style="color:#b44">  containers:
</span><span style="color:#b44">    - name:  pause
</span><span style="color:#b44">      image: k8s.gcr.io/pause
</span><span style="color:#b44">      securityContext:
</span><span style="color:#b44">        privileged: true
</span><span style="color:#b44">EOF</span>
Error from server <span style="color:#666">(</span>Forbidden<span style="color:#666">)</span>: error when creating <span style="color:#b44">&#34;STDIN&#34;</span>: pods <span style="color:#b44">&#34;privileged&#34;</span> is forbidden: unable to validate against any pod security policy: <span style="color:#666">[</span>spec.containers<span style="color:#666">[</span><span style="color:#666">0</span><span style="color:#666">]</span>.securityContext.privileged: Invalid value: true: Privileged containers are not allowed<span style="color:#666">]</span></code></pre></div>
<p>Delete the pod before moving on:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">$ kubectl-user delete pod pause</code></pre></div>
<h3 id="run-another-pod">Run another pod</h3>

<p>Let&rsquo;s try that again, slightly differently:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">$ kubectl-user run pause --image<span style="color:#666">=</span>k8s.gcr.io/pause
deployment <span style="color:#b44">&#34;pause&#34;</span> created
$ kubectl-user get pods
No resources found.
$ kubectl-user get events | head -n <span style="color:#666">2</span>
LASTSEEN   FIRSTSEEN   COUNT     NAME              KIND         SUBOBJECT                TYPE      REASON                  SOURCE                                  MESSAGE
1m         2m          <span style="color:#666">15</span>        pause-7774d79b5   ReplicaSet                            Warning   FailedCreate            replicaset-controller                   Error creating: pods <span style="color:#b44">&#34;pause-7774d79b5-&#34;</span> is forbidden: no providers available to validate pod request</code></pre></div>
<p><strong>What happened?</strong> We already bound the <code>psp:unprivileged</code> role for our <code>fake-user</code>,
why are we getting the error <code>Error creating: pods &quot;pause-7774d79b5-&quot; is
forbidden: no providers available to validate pod request</code>? The answer lies in
the source - <code>replicaset-controller</code>. Fake-user successfully created the
deployment (which successfully created a replicaset), but when the replicaset
went to create the pod it was not authorized to use the example
podsecuritypolicy.</p>

<p>In order to fix this, bind the <code>psp:unprivileged</code> role to the pod&rsquo;s service
account instead. In this case (since we didn&rsquo;t specify it) the service account
is <code>default</code>:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">$ kubectl-admin create rolebinding default:psp:unprivileged <span style="color:#b62;font-weight:bold">\
</span><span style="color:#b62;font-weight:bold"></span>    --role<span style="color:#666">=</span>psp:unprivileged <span style="color:#b62;font-weight:bold">\
</span><span style="color:#b62;font-weight:bold"></span>    --serviceaccount<span style="color:#666">=</span>psp-example:default
rolebinding <span style="color:#b44">&#34;default:psp:unprivileged&#34;</span> created</code></pre></div>
<p>Now if you give it a minute to retry, the replicaset-controller should
eventually succeed in creating the pod:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">$ kubectl-user get pods --watch
NAME                    READY     STATUS    RESTARTS   AGE
pause-7774d79b5-qrgcb   <span style="color:#666">0</span>/1       Pending   <span style="color:#666">0</span>         1s
pause-7774d79b5-qrgcb   <span style="color:#666">0</span>/1       Pending   <span style="color:#666">0</span>         1s
pause-7774d79b5-qrgcb   <span style="color:#666">0</span>/1       ContainerCreating   <span style="color:#666">0</span>         1s
pause-7774d79b5-qrgcb   <span style="color:#666">1</span>/1       Running   <span style="color:#666">0</span>         2s
^C</code></pre></div>
<h3 id="clean-up">Clean up</h3>

<p>Delete the namespace to clean up most of the example resources:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">$ kubectl-admin delete ns psp-example
namespace <span style="color:#b44">&#34;psp-example&#34;</span> deleted</code></pre></div>
<p>Note that <code>PodSecurityPolicy</code> resources are not namespaced, and must be cleaned
up separately:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-shell" data-lang="shell">$ kubectl-admin delete psp example
podsecuritypolicy <span style="color:#b44">&#34;example&#34;</span> deleted</code></pre></div>
<h3 id="example-policies">Example Policies</h3>

<p>This is the least restricted policy you can create, equivalent to not using the
pod security policy admission controller:</p>

<table class="includecode" id="privileged-psp-yaml">
    <thead>
        <tr>
            <th>
                <a href="https://github.com/kubernetes/website/blob/master/content/en/docs/concepts/policy/privileged-psp.yaml" download="privileged-psp.yaml">
                    <code>privileged-psp.yaml docs/concepts/policy</code>
                </a>
                <img src="../../../../images/copycode.svg" style="max-height:24px" onclick="copyCode('privileged-psp-yaml')" title="Copy privileged-psp.yaml to clipboard">
            </th>
        </tr>
    </thead>
    <tbody>
        <tr>
            <td><div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-yaml" data-lang="yaml">apiVersion:<span style="color:#bbb"> </span>policy/v1beta1<span style="color:#bbb">
</span><span style="color:#bbb"></span>kind:<span style="color:#bbb"> </span>PodSecurityPolicy<span style="color:#bbb">
</span><span style="color:#bbb"></span>metadata:<span style="color:#bbb">
</span><span style="color:#bbb">  </span>name:<span style="color:#bbb"> </span>privileged<span style="color:#bbb">
</span><span style="color:#bbb">  </span>annotations:<span style="color:#bbb">
</span><span style="color:#bbb">    </span>seccomp.security.alpha.kubernetes.io/allowedProfileNames:<span style="color:#bbb"> </span><span style="color:#b44">&#39;*&#39;</span><span style="color:#bbb">
</span><span style="color:#bbb"></span>spec:<span style="color:#bbb">
</span><span style="color:#bbb">  </span>privileged:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>allowPrivilegeEscalation:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>allowedCapabilities:<span style="color:#bbb">
</span><span style="color:#bbb">  </span>-<span style="color:#bbb"> </span><span style="color:#b44">&#39;*&#39;</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>volumes:<span style="color:#bbb">
</span><span style="color:#bbb">  </span>-<span style="color:#bbb"> </span><span style="color:#b44">&#39;*&#39;</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>hostNetwork:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>hostPorts:<span style="color:#bbb">
</span><span style="color:#bbb">  </span>-<span style="color:#bbb"> </span>min:<span style="color:#bbb"> </span><span style="color:#666">0</span><span style="color:#bbb">
</span><span style="color:#bbb">    </span>max:<span style="color:#bbb"> </span><span style="color:#666">65535</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>hostIPC:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>hostPID:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>runAsUser:<span style="color:#bbb">
</span><span style="color:#bbb">    </span>rule:<span style="color:#bbb"> </span><span style="color:#b44">&#39;RunAsAny&#39;</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>seLinux:<span style="color:#bbb">
</span><span style="color:#bbb">    </span>rule:<span style="color:#bbb"> </span><span style="color:#b44">&#39;RunAsAny&#39;</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>supplementalGroups:<span style="color:#bbb">
</span><span style="color:#bbb">    </span>rule:<span style="color:#bbb"> </span><span style="color:#b44">&#39;RunAsAny&#39;</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>fsGroup:<span style="color:#bbb">
</span><span style="color:#bbb">    </span>rule:<span style="color:#bbb"> </span><span style="color:#b44">&#39;RunAsAny&#39;</span><span style="color:#bbb">
</span><span style="color:#bbb"></span></code></pre></div>  </td>
        </tr>
    </tbody>
</table>

<p>This is an example of a restrictive policy that requires users to run as an
unprivileged user, blocks possible escalations to root, and requires use of
several security mechanisms.</p>

<table class="includecode" id="restricted-psp-yaml">
    <thead>
        <tr>
            <th>
                <a href="https://github.com/kubernetes/website/blob/master/content/en/docs/concepts/policy/restricted-psp.yaml" download="restricted-psp.yaml">
                    <code>restricted-psp.yaml docs/concepts/policy</code>
                </a>
                <img src="../../../../images/copycode.svg" style="max-height:24px" onclick="copyCode('restricted-psp-yaml')" title="Copy restricted-psp.yaml to clipboard">
            </th>
        </tr>
    </thead>
    <tbody>
        <tr>
            <td><div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-yaml" data-lang="yaml">apiVersion:<span style="color:#bbb"> </span>policy/v1beta1<span style="color:#bbb">
</span><span style="color:#bbb"></span>kind:<span style="color:#bbb"> </span>PodSecurityPolicy<span style="color:#bbb">
</span><span style="color:#bbb"></span>metadata:<span style="color:#bbb">
</span><span style="color:#bbb">  </span>name:<span style="color:#bbb"> </span>restricted<span style="color:#bbb">
</span><span style="color:#bbb">  </span>annotations:<span style="color:#bbb">
</span><span style="color:#bbb">    </span>seccomp.security.alpha.kubernetes.io/allowedProfileNames:<span style="color:#bbb"> </span><span style="color:#b44">&#39;docker/default&#39;</span><span style="color:#bbb">
</span><span style="color:#bbb">    </span>apparmor.security.beta.kubernetes.io/allowedProfileNames:<span style="color:#bbb"> </span><span style="color:#b44">&#39;runtime/default&#39;</span><span style="color:#bbb">
</span><span style="color:#bbb">    </span>seccomp.security.alpha.kubernetes.io/defaultProfileName:<span style="color:#bbb">  </span><span style="color:#b44">&#39;docker/default&#39;</span><span style="color:#bbb">
</span><span style="color:#bbb">    </span>apparmor.security.beta.kubernetes.io/defaultProfileName:<span style="color:#bbb">  </span><span style="color:#b44">&#39;runtime/default&#39;</span><span style="color:#bbb">
</span><span style="color:#bbb"></span>spec:<span style="color:#bbb">
</span><span style="color:#bbb">  </span>privileged:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">false</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span><span style="color:#080;font-style:italic"># Required to prevent escalations to root.</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>allowPrivilegeEscalation:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">false</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span><span style="color:#080;font-style:italic"># This is redundant with non-root + disallow privilege escalation,</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span><span style="color:#080;font-style:italic"># but we can provide it for defense in depth.</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>requiredDropCapabilities:<span style="color:#bbb">
</span><span style="color:#bbb">    </span>-<span style="color:#bbb"> </span>ALL<span style="color:#bbb">
</span><span style="color:#bbb">  </span><span style="color:#080;font-style:italic"># Allow core volume types.</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>volumes:<span style="color:#bbb">
</span><span style="color:#bbb">    </span>-<span style="color:#bbb"> </span><span style="color:#b44">&#39;configMap&#39;</span><span style="color:#bbb">
</span><span style="color:#bbb">    </span>-<span style="color:#bbb"> </span><span style="color:#b44">&#39;emptyDir&#39;</span><span style="color:#bbb">
</span><span style="color:#bbb">    </span>-<span style="color:#bbb"> </span><span style="color:#b44">&#39;projected&#39;</span><span style="color:#bbb">
</span><span style="color:#bbb">    </span>-<span style="color:#bbb"> </span><span style="color:#b44">&#39;secret&#39;</span><span style="color:#bbb">
</span><span style="color:#bbb">    </span>-<span style="color:#bbb"> </span><span style="color:#b44">&#39;downwardAPI&#39;</span><span style="color:#bbb">
</span><span style="color:#bbb">    </span><span style="color:#080;font-style:italic"># Assume that persistentVolumes set up by the cluster admin are safe to use.</span><span style="color:#bbb">
</span><span style="color:#bbb">    </span>-<span style="color:#bbb"> </span><span style="color:#b44">&#39;persistentVolumeClaim&#39;</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>hostNetwork:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">false</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>hostIPC:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">false</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>hostPID:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">false</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>runAsUser:<span style="color:#bbb">
</span><span style="color:#bbb">    </span><span style="color:#080;font-style:italic"># Require the container to run without root privileges.</span><span style="color:#bbb">
</span><span style="color:#bbb">    </span>rule:<span style="color:#bbb"> </span><span style="color:#b44">&#39;MustRunAsNonRoot&#39;</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>seLinux:<span style="color:#bbb">
</span><span style="color:#bbb">    </span><span style="color:#080;font-style:italic"># This policy assumes the nodes are using AppArmor rather than SELinux.</span><span style="color:#bbb">
</span><span style="color:#bbb">    </span>rule:<span style="color:#bbb"> </span><span style="color:#b44">&#39;RunAsAny&#39;</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>supplementalGroups:<span style="color:#bbb">
</span><span style="color:#bbb">    </span>rule:<span style="color:#bbb"> </span><span style="color:#b44">&#39;MustRunAs&#39;</span><span style="color:#bbb">
</span><span style="color:#bbb">    </span>ranges:<span style="color:#bbb">
</span><span style="color:#bbb">      </span><span style="color:#080;font-style:italic"># Forbid adding the root group.</span><span style="color:#bbb">
</span><span style="color:#bbb">      </span>-<span style="color:#bbb"> </span>min:<span style="color:#bbb"> </span><span style="color:#666">1</span><span style="color:#bbb">
</span><span style="color:#bbb">        </span>max:<span style="color:#bbb"> </span><span style="color:#666">65535</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>fsGroup:<span style="color:#bbb">
</span><span style="color:#bbb">    </span>rule:<span style="color:#bbb"> </span><span style="color:#b44">&#39;MustRunAs&#39;</span><span style="color:#bbb">
</span><span style="color:#bbb">    </span>ranges:<span style="color:#bbb">
</span><span style="color:#bbb">      </span><span style="color:#080;font-style:italic"># Forbid adding the root group.</span><span style="color:#bbb">
</span><span style="color:#bbb">      </span>-<span style="color:#bbb"> </span>min:<span style="color:#bbb"> </span><span style="color:#666">1</span><span style="color:#bbb">
</span><span style="color:#bbb">        </span>max:<span style="color:#bbb"> </span><span style="color:#666">65535</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>readOnlyRootFilesystem:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">false</span><span style="color:#bbb">
</span><span style="color:#bbb"></span></code></pre></div>  </td>
        </tr>
    </tbody>
</table>

<h2 id="policy-reference">Policy Reference</h2>

<h3 id="privileged">Privileged</h3>

<p><strong>Privileged</strong> - determines if any container in a pod can enable privileged mode.
By default a container is not allowed to access any devices on the host, but a
&ldquo;privileged&rdquo; container is given access to all devices on the host. This allows
the container nearly all the same access as processes running on the host.
This is useful for containers that want to use linux capabilities like
manipulating the network stack and accessing devices.</p>

<h3 id="host-namespaces">Host namespaces</h3>

<p><strong>HostPID</strong> - Controls whether the pod containers can share the host process ID
namespace. Note that when paired with ptrace this can be used to escalate
privileges outside of the container (ptrace is forbidden by default).</p>

<p><strong>HostIPC</strong> - Controls whether the pod containers can share the host IPC
namespace.</p>

<p><strong>HostNetwork</strong> - Controls whether the pod may use the node network
namespace. Doing so gives the pod access to the loopback device, services
listening on localhost, and could be used to snoop on network activity of other
pods on the same node.</p>

<p><strong>HostPorts</strong> - Provides a whitelist of ranges of allowable ports in the host
network namespace. Defined as a list of <code>HostPortRange</code>, with <code>min</code>(inclusive)
and <code>max</code>(inclusive). Defaults to no allowed host ports.</p>

<p><strong>AllowedHostPaths</strong> - See <a href="../../../user-guide/pod-security-policy#volumes-and-file-systems">Volumes and file systems</a>.</p>

<h3 id="volumes-and-file-systems">Volumes and file systems</h3>

<p><strong>Volumes</strong> - Provides a whitelist of allowed volume types. The allowable values
correspond to the volume sources that are defined when creating a volume. For
the complete list of volume types, see <a href="../../storage/volumes.1#types-of-volumes">Types of
Volumes</a>. Additionally, <code>*</code>
may be used to allow all volume types.</p>

<p>The <strong>recommended minimum set</strong> of allowed volumes for new PSPs are:</p>

<ul>
<li>configMap</li>
<li>downwardAPI</li>
<li>emptyDir</li>
<li>persistentVolumeClaim</li>
<li>secret</li>
<li>projected</li>
</ul>

<p><strong>FSGroup</strong> - Controls the supplemental group applied to some volumes.</p>

<ul>
<li><em>MustRunAs</em> - Requires at least one <code>range</code> to be specified. Uses the
minimum value of the first range as the default. Validates against all ranges.</li>
<li><em>RunAsAny</em> - No default provided. Allows any <code>fsGroup</code> ID to be specified.</li>
</ul>

<p><strong>AllowedHostPaths</strong> - This specifies a whitelist of host paths that are allowed
to be used by hostPath volumes. An empty list means there is no restriction on
host paths used. This is defined as a list of objects with a single <code>pathPrefix</code>
field, which allows hostPath volumes to mount a path that begins with an
allowed prefix, and a <code>readOnly</code> field indicating it must be mounted read-only.
For example:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-yaml" data-lang="yaml">allowedHostPaths:<span style="color:#bbb">
</span><span style="color:#bbb">  </span><span style="color:#080;font-style:italic"># This allows &#34;/foo&#34;, &#34;/foo/&#34;, &#34;/foo/bar&#34; etc., but</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span><span style="color:#080;font-style:italic"># disallows &#34;/fool&#34;, &#34;/etc/foo&#34; etc.</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span><span style="color:#080;font-style:italic"># &#34;/foo/../&#34; is never valid.</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>-<span style="color:#bbb"> </span>pathPrefix:<span style="color:#bbb"> </span><span style="color:#b44">&#34;/foo&#34;</span><span style="color:#bbb">
</span><span style="color:#bbb">    </span>readOnly:<span style="color:#bbb"> </span><span style="color:#a2f;font-weight:bold">true</span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic"># only allow read-only mounts</span></code></pre></div>
<blockquote class="warning">
  <div><p><strong>Warning:</strong> There are many ways a container with unrestricted access to the host
filesystem can escalate privileges, including reading data from other
containers, and abusing the credentials of system services, such as Kubelet.</p>

<p>Writeable hostPath directory volumes allow containers to write
to the filesystem in ways that let them traverse the host filesystem outside the <code>pathPrefix</code>.
<code>readOnly: true</code>, available in Kubernetes 1.11+, must be used on <strong>all</strong> <code>allowedHostPaths</code>
to effectively limit access to the specified <code>pathPrefix</code>.</p>
</div>
</blockquote>

<p><strong>ReadOnlyRootFilesystem</strong> - Requires that containers must run with a read-only
root filesystem (i.e. no writable layer).</p>

<h3 id="flexvolume-drivers">FlexVolume drivers</h3>

<p>This specifies a whiltelist of flex volume drivers that are allowed to be used
by flexVolume. An empty list or nil means there is no restriction on the drivers.
Please make sure <a href="../../../user-guide/pod-security-policy#volumes-and-file-systems"><code>volumes</code></a> field  contains the
<code>flexVolume</code> volume type, no FlexVolume driver is allowed otherwise.</p>

<p>For example:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-yaml" data-lang="yaml">apiVersion:<span style="color:#bbb"> </span>extensions/v1beta1<span style="color:#bbb">
</span><span style="color:#bbb"></span>kind:<span style="color:#bbb"> </span>PodSecurityPolicy<span style="color:#bbb">
</span><span style="color:#bbb"></span>metadata:<span style="color:#bbb">
</span><span style="color:#bbb">  </span>name:<span style="color:#bbb"> </span>allow-flex-volumes<span style="color:#bbb">
</span><span style="color:#bbb"></span>spec:<span style="color:#bbb">
</span><span style="color:#bbb">  </span><span style="color:#080;font-style:italic"># ... other spec fields</span><span style="color:#bbb">
</span><span style="color:#bbb">  </span>volumes:<span style="color:#bbb">
</span><span style="color:#bbb">    </span>-<span style="color:#bbb"> </span>flexVolume<span style="color:#bbb">
</span><span style="color:#bbb">  </span>allowedFlexVolumes:<span style="color:#bbb"> 
</span><span style="color:#bbb">    </span>-<span style="color:#bbb"> </span>driver:<span style="color:#bbb"> </span>example/lvm<span style="color:#bbb">
</span><span style="color:#bbb">    </span>-<span style="color:#bbb"> </span>driver:<span style="color:#bbb"> </span>example/cifs</code></pre></div>
<h3 id="users-and-groups">Users and groups</h3>

<p><strong>RunAsUser</strong> - Controls the what user ID containers run as.</p>

<ul>
<li><em>MustRunAs</em> - Requires at least one <code>range</code> to be specified. Uses the
minimum value of the first range as the default. Validates against all ranges.</li>
<li><em>MustRunAsNonRoot</em> - Requires that the pod be submitted with a non-zero
<code>runAsUser</code> or have the <code>USER</code> directive defined (using a numeric UID) in the
image. No default provided. Setting <code>allowPrivilegeEscalation=false</code> is strongly
recommended with this strategy.</li>
<li><em>RunAsAny</em> - No default provided. Allows any <code>runAsUser</code> to be specified.</li>
</ul>

<p><strong>SupplementalGroups</strong> - Controls which group IDs containers add.</p>

<ul>
<li><em>MustRunAs</em> - Requires at least one <code>range</code> to be specified. Uses the
minimum value of the first range as the default. Validates against all ranges.</li>
<li><em>RunAsAny</em> - No default provided. Allows any <code>supplementalGroups</code> to be
specified.</li>
</ul>

<h3 id="privilege-escalation">Privilege Escalation</h3>

<p>These options control the <code>allowPrivilegeEscalation</code> container option. This bool
directly controls whether the
<a href="https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt" target="_blank"><code>no_new_privs</code></a>
flag gets set on the container process. This flag will prevent <code>setuid</code> binaries
from changing the effective user ID, and prevent files from enabling extra
capabilities (e.g. it will prevent the use of the <code>ping</code> tool). This behavior is
required to effectively enforce <code>MustRunAsNonRoot</code>.</p>

<p><strong>AllowPrivilegeEscalation</strong> - Gates whether or not a user is allowed to set the
security context of a container to <code>allowPrivilegeEscalation=true</code>. This
defaults to allowed so as to not break setuid binaries. Setting it to <code>false</code>
ensures that no child process of a container can gain more privileges than its parent.</p>

<p><strong>DefaultAllowPrivilegeEscalation</strong> - Sets the default for the
<code>allowPrivilegeEscalation</code> option. The default behavior without this is to allow
privilege escalation so as to not break setuid binaries. If that behavior is not
desired, this field can be used to default to disallow, while still permitting
pods to request <code>allowPrivilegeEscalation</code> explicitly.</p>

<h3 id="capabilities">Capabilities</h3>

<p>Linux capabilities provide a finer grained breakdown of the privileges
traditionally associated with the superuser. Some of these capabilities can be
used to escalate privileges or for container breakout, and may be restricted by
the PodSecurityPolicy. For more details on Linux capabilities, see
<a href="http://man7.org/linux/man-pages/man7/capabilities.7.html" target="_blank">capabilities(7)</a>.</p>

<p>The following fields take a list of capabilities, specified as the capability
name in ALL_CAPS without the <code>CAP_</code> prefix.</p>

<p><strong>AllowedCapabilities</strong> - Provides a whitelist of capabilities that may be added
to a container. The default set of capabilities are implicitly allowed. The
empty set means that no additional capabilities may be added beyond the default
set. <code>*</code> can be used to allow all capabilities.</p>

<p><strong>RequiredDropCapabilities</strong> - The capabilities which must be dropped from
containers. These capabilities are removed from the default set, and must not be
added. Capabilities listed in <code>RequiredDropCapabilities</code> must not be included in
<code>AllowedCapabilities</code> or <code>DefaultAddCapabilities</code>.</p>

<p><strong>DefaultAddCapabilities</strong> - The capabilities which are added to containers by
default, in addition to the runtime defaults. See the <a href="https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities" target="_blank">Docker
documentation</a>
for the default list of capabilities when using the Docker runtime.</p>

<h3 id="selinux">SELinux</h3>

<ul>
<li><em>MustRunAs</em> - Requires <code>seLinuxOptions</code> to be configured. Uses
<code>seLinuxOptions</code> as the default. Validates against <code>seLinuxOptions</code>.</li>
<li><em>RunAsAny</em> - No default provided. Allows any <code>seLinuxOptions</code> to be
specified.</li>
</ul>

<h3 id="apparmor">AppArmor</h3>

<p>Controlled via annotations on the PodSecurityPolicy. Refer to the <a href="../../../tutorials/clusters/apparmor/index.html#podsecuritypolicy-annotations">AppArmor
documentation</a>.</p>

<h3 id="seccomp">Seccomp</h3>

<p>The use of seccomp profiles in pods can be controlled via annotations on the
PodSecurityPolicy. Seccomp is an alpha feature in Kubernetes.</p>

<p><strong>seccomp.security.alpha.kubernetes.io/defaultProfileName</strong> - Annotation that
specifies the default seccomp profile to apply to containers. Possible values
are:</p>

<ul>
<li><code>unconfined</code> - Seccomp is not applied to the container processes (this is the
default in Kubernetes), if no alternative is provided.</li>
<li><code>docker/default</code> - The Docker default seccomp profile is used.</li>
<li><code>localhost/&lt;path&gt;</code> - Specify a profile as a file on the node located at
<code>&lt;seccomp_root&gt;/&lt;path&gt;</code>, where <code>&lt;seccomp_root&gt;</code> is defined via the
<code>--seccomp-profile-root</code> flag on the Kubelet.</li>
</ul>

<p><strong>seccomp.security.alpha.kubernetes.io/allowedProfileNames</strong> - Annotation that
specifies which values are allowed for the pod seccomp annotations. Specified as
a comma-delimited list of allowed values. Possible values are those listed
above, plus <code>*</code> to allow all profiles. Absence of this annotation means that the
default cannot be changed.</p>

<h3 id="sysctl">Sysctl</h3>

<p>Controlled via annotations on the PodSecurityPolicy. Refer to the <a href="../../cluster-administration/sysctl-cluster/index.html#podsecuritypolicy-annotations">Sysctl documentation</a>.</p>
















				<div class="issue-button-container">
					<p><a href="../../../user-guide/pod-security-policy"><img src="https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/concepts/policy/pod-security-policy.md?pixel" alt="Analytics" /></a></p>
					
					
					<script type="text/javascript">
					PDRTJS_settings_8345992 = {
					"id" : "8345992",
					"unique_id" : "\/docs\/concepts\/policy\/pod-security-policy\/",
					"title" : "Pod Security Policies",
					"permalink" : "https:\/\/kubernetes.io\/docs\/concepts\/policy\/pod-security-policy\/"
					};
					(function(d,c,j){if(!document.getElementById(j)){var pd=d.createElement(c),s;pd.id=j;pd.src=('https:'==document.location.protocol)?'https://polldaddy.com/js/rating/rating.js':'http://i0.poll.fm/js/rating/rating.js';s=document.getElementsByTagName(c)[0];s.parentNode.insertBefore(pd,s);}}(document,'script','pd-rating-js'));
					</script>
					<a href="../../../user-guide/pod-security-policy" onclick="window.open('https://github.com/kubernetes/website/issues/new?title=Issue%20with%20' +
					'k8s.io'+window.location.pathname)" class="button issue">Create an Issue</a>
					
					
					
					<a href="../../../editdocs#docs/concepts/policy/pod-security-policy.md" class="button issue">Edit this Page</a>
					
				</div>
			</div>
		</section>
		<footer>
    <main class="light-text">
        <nav>
            
            
            
            <a href="../../../home.1">Documentation</a>
            
            <a href="../../../../blog/index.html">Blog</a>
            
            <a href="../../../../partners/index.html">Partners</a>
            
            <a href="../../../../community/index.html">Community</a>
            
            <a href="../../../../case-studies/index.html">Case Studies</a>
            
        </nav>
        <div class="social">
            <div>
                <a href="https://twitter.com/kubernetesio" class="twitter"><span>twitter</span></a>
                <a href="https://github.com/kubernetes/kubernetes" class="github"><span>Github</span></a>
                <a href="http://slack.k8s.io/" class="slack"><span>Slack</span></a>
            </div>
            <div>
                <a href="http://stackoverflow.com/questions/tagged/kubernetes" class="stack-overflow"><span>Stack Overflow</span></a>
                <a href="https://discuss.kubernetes.io" class="mailing-list"><span>Forum</span></a>
                <a href="https://calendar.google.com/calendar/embed?src=nt2tcnbtbied3l6gi2h29slvc0%40group.calendar.google.com" class="calendar"><span>Events Calendar</span></a>
            </div>
            <div>
                <a href="../../../getting-started-guides/index.html" class="button">Get Kubernetes</a>
                <a href="https://git.k8s.io/community/contributors/guide" class="button">Contribute</a>
            </div>
        </div>
        <div id="miceType" class="center">
            &copy; 2018 The Kubernetes Authors | Documentation Distributed under <a href="https://git.k8s.io/website/LICENSE" class="light-text">CC BY 4.0</a>
        </div>
        <div id="miceType" class="center">
            Copyright &copy; 2018 The Linux Foundation&reg;. All rights reserved. The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our <a href="https://www.linuxfoundation.org/trademark-usage" class="light-text">Trademark Usage page</a>
        </div>
    </main>
</footer>

		<button class="flyout-button" onclick="kub.toggleToc()"></button>

<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
    (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-36037335-10', 'auto');
ga('send', 'pageview');


(function () {
    window.addEventListener('DOMContentLoaded', init)

        
        function init() {
            window.removeEventListener('DOMContentLoaded', init)
                hideNav()
        }

    function hideNav(toc){
        if (!toc) toc = document.querySelector('#docsToc')
        if (!toc) return
            var container = toc.querySelector('.container')

                
                if (container) {
                    if (container.childElementCount === 0 || toc.querySelectorAll('a.item').length === 1) {
                        toc.style.display = 'none'
                            document.getElementById('docsContent').style.width = '100%'
                    }
                } else {
                    requestAnimationFrame(function () {
                        hideNav(toc)
                    })
                }
    }
})();
</script>



	</body>
</html>